The present invention, in some embodiments thereof, relates to computer security and, more specifically, but not exclusively, to methods and systems of identifying security risks.
Authentication is the process of verifying the identity of a person or application. Authentication in computer systems can be done in various ways and involves acquiring account (user or application) characteristics or credentials and verifying them against a known value. Such credentials can be passwords, but also tokens, biometric characteristics and other values. Various systems of authentication exist, which employ various modes of authentication. In Windows-based networks, authentication is usually performed based on a combination of account name and password (other means are also possible, such as biometrics or tokens). The three leading authentication schemes available in Windows-based networks are LAN Manager (LM), NTLM and Kerberos. In LM and NTLM, after successful authentication at an endpoint, hash values (the results of computing a hash function over the password) are retained on the endpoint and serve as the secret used to authenticate the account to other network resources. In Kerberos, tickets are used instead of hashes to authenticate the account to network resources.
Potentially many credentials (such as passwords, hashes, tickets and tokens) therefore reside on a machine and can serve to authenticate to network resources. Thus, there exists a risk that a malicious actor who takes control of a machine can use the credentials present on that machine to access other machines.
In computer security, Pass-the-Hash is a hacking technique that enables an attacker to authenticate to a resource, such as a remote server or service, by using the NT LAN Manager (NTLM) or LAN Manager (LM) hash of an account password instead of the associated plaintext password (or other credentials) that is normally needed for authentication. Similarly, Pass-the-Ticket is a hacking technique that enables authentication by using the Kerberos tickets associated with an account, without requiring the associated password.
In Pass-the-Hash, after an attacker obtains a valid account name and the corresponding password hash values (which can be done using various methods and tools), he or she is able to use that information to authenticate to a remote server or service using LM or NTLM authentication, without needing to brute-force the hashes to recover the cleartext password. The attack exploits a design weakness of the authentication protocol: the password hash itself is the secret used in the challenge-response exchange with network resources, so possession of the hash is effectively equivalent to possession of the password.
This technique can be performed against any server or service that accepts LM or NTLM authentication, whether it runs on Windows, Unix or any other operating system. A related technique, Pass-the-Ticket, can be used to the same effect in networks that employ the Kerberos authentication scheme.
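As an added illustration of the mechanism described in the preceding paragraphs (example code written for this page, not part of the original text or of any product it describes), the following Python script derives an NT hash from a password and then runs the NTLMv2 challenge-response on both sides: the "client" holds only the NT hash and is accepted by the "server", while a client holding a different hash is rejected. The account name, domain, challenges, timestamp and target-info block are constructed values; the MD4 and NTLMv2 computations follow RFC 1320 and MS-NLMP, and MD4 is implemented inline because recent OpenSSL builds expose it only as a legacy algorithm.

```python
"""NTLM 'the hash is the password' demonstration.

Added example, not code from the patent text. It shows (1) how the NT hash is
derived from a password and (2) that a complete NTLMv2 challenge-response can
be computed from the NT hash alone, which is why a hash dumped from one
endpoint is a password-equivalent credential (Pass-the-Hash). Account names,
challenges, timestamp and target info below are constructed, not real.
"""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Implemented here because OpenSSL 3 exposes
    MD4 only through its legacy provider, so hashlib.new('md4') often fails."""
    def rotl(x, s):
        return ((x << s) | (x >> (32 - s))) & _MASK

    rounds = (  # (boolean function, additive constant, per-step shifts, message-word index)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), lambda i: i),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         lambda i: (i % 4) * 4 + i // 4),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         lambda i: (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]),
    )
    msg = bytearray(data) + b"\x80"                 # 0x80 pad, then zeros up to 56 mod 64
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)         # 64-bit little-endian bit length
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for fn, k, shifts, idx in rounds:
            for i in range(16):
                a = (-i) % 4                          # rotates through ABCD, DABC, CDAB, BCDA
                r[a] = rotl((r[a] + fn(r[(a + 1) % 4], r[(a + 2) % 4], r[(a + 3) % 4])
                             + x[idx(i)] + k) & _MASK, shifts[i % 4])
        state = [(s + v) & _MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; this is what a DC or local SAM stores."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt_hash_value: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain (UTF-16LE)."""
    return hmac.new(nt_hash_value, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash_value, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side: NtChallengeResponse = NTProofStr || temp (MS-NLMP 3.3.2).
    Only the NT hash is needed; the plaintext password never appears."""
    key = ntowf_v2(nt_hash_value, user, domain)
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(stored_nt_hash, user, domain, server_challenge, nt_challenge_response) -> bool:
    """Server side: recompute NTProofStr from the stored hash and compare in constant time."""
    proof, temp = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo_pass_the_hash() -> dict:
    """Constructed scenario: the attacker holds only alice's NT hash, never the password."""
    user, domain, password = "alice", "CORP", "Winter2024!"          # constructed account
    stored = nt_hash(password)                                        # held by the server/DC
    stolen = nt_hash(password)                                        # dumped from a compromised endpoint
    server_challenge = bytes(range(8))                                # fixed for reproducibility
    client_challenge = bytes(range(8, 16))
    timestamp = 0x01D9F00000000000                                    # arbitrary FILETIME value
    # Minimal AV_PAIR list: MsvAvNbDomainName("CORP") followed by MsvAvEOL.
    target_info = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00" * 4
    good = ntlmv2_response(stolen, user, domain, server_challenge, client_challenge, timestamp, target_info)
    bad = ntlmv2_response(nt_hash("wrong"), user, domain, server_challenge, client_challenge, timestamp, target_info)
    return {
        "hash_only_client_accepted": server_verify(stored, user, domain, server_challenge, good),
        "wrong_hash_rejected": not server_verify(stored, user, domain, server_challenge, bad),
    }


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print(demo_pass_the_hash())
```

The script runs offline. The point it makes is the one the text states: nothing in `ntlmv2_response` ever needs the password, so whoever reads the NT hash out of a compromised endpoint holds everything the protocol requires, and the server cannot distinguish that client from the legitimate one.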